express-jwt
+23
-1
| # Change Log | ||
| All notable changes to this project will be documented in this file starting from version **v4.0.0**. | ||
| This project adheres to [Semantic Versioning](http://semver.org/). | ||
| ## 6.0.0 - 2020-06-29 | ||
| - Made algorithms mandatory ([304a1c5968aed7c4c520035426fc09142156669d](https://github.com/auth0/express-jwt/commit/304a1c5968aed7c4c520035426fc09142156669d)) | ||
| ## 5.3.3 - 2020-04-27 | ||
| - Improvements to documentation | ||
| ## 5.3.2 - 2020-04-27 | ||
| - Updated build to run on Node 8, 10 and 12 [178928266c3cf2fed3f9e013722cc8d29d4672ba](https://github.com/auth0/express-jwt/commit/178928266c3cf2fed3f9e013722cc8d29d4672ba) | ||
| - Updated JSON web token dependency [11f3ac49736f37c5b74cd67bde87c50fdca19868](https://github.com/auth0/express-jwt/commit/11f3ac49736f37c5b74cd67bde87c50fdca19868) | ||
| ## 5.3.0 - 2017-04-17 | ||
| - Export unauthorized error [d662501f75b60e79f0e02e8df325a7960187af65](https://github.com/auth0/express-jwt/commit/d662501f75b60e79f0e02e8df325a7960187af65) | ||
| - Updated JSON web token library [fcf97715a5a11cbf7b828a3fa953e4c644856706](https://github.com/auth0/express-jwt/commit/fcf97715a5a11cbf7b828a3fa953e4c644856706) | ||
| - Added support for `resultProperty` [c2aa463f69fea5535dc14da86f8ea13436e72d04](https://github.com/auth0/express-jwt/commit/c2aa463f69fea5535dc14da86f8ea13436e72d04) | ||
| ## 5.2.0 - 2016-10-07 | ||
| - Added changelog [34dd51dde3fd83182bd076d9a9378626d17152f2](https://github.com/auth0/express-jwt/commit/34dd51dde3fd83182bd076d9a9378626d17152f2) | ||
| ## 5.1.0 - 2016-10-04 | ||
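Review bot: there is no changelog entry for 6.1.0 even though this same change bumps package.json from 6.0.0 to 6.1.0; the newest entry here is still `## 6.0.0 - 2020-06-29`. Add a `## 6.1.0` entry that records the README changes (the `algorithms` option documented as required in every example) and the express-unless ^0.3.0 to ^1.0.0 dependency bump. Minor style point on the same hunk: the 6.0.0 line wraps its commit link in parentheses, `([304a1c5...](...))`, while every other entry uses a bare `[hash](url)` link; use one form throughout.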
@@ -8,0 +30,0 @@ |
+2
-2
| { | ||
| "name": "express-jwt", | ||
| "version": "6.0.0", | ||
| "version": "6.1.0", | ||
| "description": "JWT authentication middleware.", | ||
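Review bot: the bump from `"version": "6.0.0"` to `"6.1.0"` ships undocumented, because the changelog in this same change stops at 6.0.0. A minor bump is reasonable given that the README and dependency changes are not breaking, but it needs a matching changelog entry in the same commit.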
@@ -33,3 +33,3 @@ "keywords": [ | ||
| "async": "^1.5.0", | ||
| "express-unless": "^0.3.0", | ||
| "express-unless": "^1.0.0", | ||
| "jsonwebtoken": "^8.1.0", | ||
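Review bot: `express-unless` crosses a major version here (`^0.3.0` to `^1.0.0`), which under semver may change the `.unless()` API that the README examples rely on (`.unless({path: ['/token']})`); confirm that this option form still works on 1.x and mention the bump in the changelog. Also visible in the context: `async` is still at `^1.5.0`, a very old major line for a direct dependency; worth a follow-up even if not in scope for this change.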
@@ -36,0 +36,0 @@ "lodash.set": "^4.0.0" |
+27
-9
@@ -21,3 +21,3 @@ # express-jwt | ||
| app.get('/protected', | ||
| jwt({ secret: 'shhhhhhared-secret' }), | ||
| jwt({ secret: 'shhhhhhared-secret', algorithms: ['HS256'] }), | ||
| function(req, res) { | ||
@@ -33,5 +33,18 @@ if (!req.user.admin) return res.sendStatus(401); | ||
| ### Required Parameters | ||
| The `algorithms` parameter is required to prevent potential downgrade attacks when providing third party libraries as **secrets**. | ||
| :warning: **Do not mix symmetric and asymmetric (ie HS256/RS256) algorithms**: Mixing algorithms without further validation can potentially result in downgrade vulnerabilities. | ||
| ```javascript | ||
| jwt({ | ||
| secret: 'shhhhhhared-secret', | ||
| algorithms: ['HS256'] | ||
| //algorithms: ['RS256'] | ||
| }) | ||
| ``` | ||
| ### Additional Options | ||
| You can specify audience and/or issuer as well: | ||
| You can specify audience and/or issuer as well, which is highly recommended for security purposes: | ||
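Review bot: the sentence `The algorithms parameter is required to prevent potential downgrade attacks when providing third party libraries as **secrets**.` does not say what it means; the risk this option closes is algorithm confusion, where a verifier that accepts any `alg` can be configured with an RSA public key as `secret` and then also accept HS256 tokens, so reword to something like `... when the secret is a public key` instead of `third party libraries`. In the warning, `ie` should be `i.e.`. In the snippet, the commented-out `//algorithms: ['RS256']` follows `algorithms: ['HS256']` with no trailing comma, so uncommenting it as written is a syntax error (and would leave two `algorithms` keys); present RS256 as a separate snippet or in prose. Finally, `which is highly recommended for security purposes` is vague; say what the `audience` and `issuer` checks prevent, namely accepting a token minted for a different API or by a different issuer.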
@@ -42,3 +55,4 @@ ```javascript | ||
| audience: 'http://myapi/protected', | ||
| issuer: 'http://issuer' | ||
| issuer: 'http://issuer', | ||
| algorithms: ['HS256'] | ||
| }) | ||
@@ -52,3 +66,4 @@ ``` | ||
| ```javascript | ||
| jwt({ secret: new Buffer('shhhhhhared-secret', 'base64') }) | ||
| jwt({ secret: Buffer.from('shhhhhhared-secret', 'base64'), | ||
| algorithms: ['RS256'] }) | ||
| ``` | ||
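Review bot: `algorithms: ['RS256']` is wrong for this snippet. `Buffer.from('shhhhhhared-secret', 'base64')` yields a symmetric shared secret, and RS256 verification requires an RSA public key, so with this configuration every token would fail verification. Change it to `algorithms: ['HS256']`, matching the other shared-secret examples in this README, so readers do not copy a mismatched key/algorithm pair.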
@@ -59,3 +74,3 @@ | ||
| ```javascript | ||
| app.use(jwt({ secret: 'shhhhhhared-secret'}).unless({path: ['/token']})); | ||
| app.use(jwt({ secret: 'shhhhhhared-secret', algorithms: ['HS256']}).unless({path: ['/token']})); | ||
| ``` | ||
@@ -71,3 +86,3 @@ | ||
| var publicKey = fs.readFileSync('/path/to/public.pub'); | ||
| jwt({ secret: publicKey }); | ||
| jwt({ secret: publicKey, algorithms: ['RS256'] }); | ||
| ``` | ||
@@ -81,3 +96,3 @@ | ||
| ```javascript | ||
| jwt({ secret: publicKey, requestProperty: 'auth' }); | ||
| jwt({ secret: publicKey, algorithms: ['RS256'], requestProperty: 'auth' }); | ||
| ``` | ||
@@ -88,3 +103,3 @@ | ||
| ```javascript | ||
| jwt({ secret: publicKey, resultProperty: 'locals.user' }); | ||
| jwt({ secret: publicKey, algorithms: ['RS256'], resultProperty: 'locals.user' }); | ||
| ``` | ||
@@ -104,2 +119,3 @@ | ||
| secret: 'hello world !', | ||
| algorithms: ['HS256'], | ||
| credentialsRequired: false, | ||
@@ -146,3 +162,3 @@ getToken: function fromHeaderOrQuerystring (req) { | ||
| app.get('/protected', | ||
| jwt({ secret: secretCallback }), | ||
| jwt({ secret: secretCallback, algorithms: ['HS256'] }), | ||
| function(req, res) { | ||
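Review bot: hardcoding `algorithms: ['HS256']` beside `secret: secretCallback` is only correct if the callback returns HMAC secrets; if the lookup returns RSA public keys the list has to be `['RS256']`. Add a sentence next to this example stating that the `algorithms` list must match the kind of key the callback returns, since the whole point of making the option mandatory is that the caller, not the token's `alg` header, fixes the accepted algorithm.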
@@ -181,2 +197,3 @@ if (!req.user.admin) return res.sendStatus(401); | ||
| secret: 'shhhhhhared-secret', | ||
| algorithms: ['HS256'], | ||
| isRevoked: isRevokedCallback | ||
@@ -208,2 +225,3 @@ }), | ||
| secret: 'hello world !', | ||
| algorithms: ['HS256'], | ||
| credentialsRequired: false | ||
@@ -210,0 +228,0 @@ })); |
New author
Supply chain risk: A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.
Found 1 instance in 1 package